4 Conducting Active Reconnaissance
container sec issues
- A container shares the OS kernel, so instability could crash the host.
- If a container uses all resources, it can cause a DoS.
- If the app has a bug that allows privilege escalation, malware could break out of the container and attack other containers or the host.
- An attacker might trick you into launching a malicious container image.
- Compromised credentials and keys: when a container needs to access a database or service, it will require a secret such as an API key or a user name and password to authenticate. If an attacker can intercept the secret or extract it from the image, then they too will be able to access the service.
website enumeration via HTTP response codes
404 = "Not Found", 403 = "Forbidden", 402 = "Payment Required", 401 = "Unauthorized" (must authenticate first), 200 = "OK". You can therefore assume that directories which don't return a 404 exist.
transparent firewall
A firewall in transparent mode acts like a switch rather than a router. Although it filters traffic, nodes on both sides of it are in the same subnet. Piping | is used to take the output of one cmdlet and output it to the other.
Null Session
Allows a client to make an unauthenticated connection to the IPC$ (inter-process communication) share. Before Windows Server 2003 this was allowed automatically, but it is now disallowed by default. However, it might be possible to enable null sessions in the host's security policy.
packet crafting
Alters a packet before sending it. This is used to test firewall rules, evade IDS, or cause a DoS. Some popular packet crafting tools include Hping/Hping3, Nping, Ostinato, Scapy, Libcrafter, Yersinia, packETH, Colasoft Packet Builder, and Bit-Twist.
operators
- Arithmetic operators: addition, subtraction, multiplication, division, and more advanced mathematical operations.
- Comparison operators: checking if operands are equal, if one operand is less than or greater than another operand, and more.
- Logical operators: connect multiple values together so they can be evaluated; include AND, OR, and NOT.
- String operators: used in operations that manipulate strings in various ways, including concatenating strings, returning a specific character in a string (slicing), verifying if a specific character exists in a string, and more.
nmap -R 192.168.1.0/24
Attempt to resolve all names with reverse DNS lookup.
my_var=1
if [ "$my_var" == 1 ]; then
  echo "Correct."
else
  echo "Incorrect."
fi
Bash flow: an if statement with an alternative branch (else). Note that the condition is in brackets and the code to be executed follows a then statement.
my_str="Hello, World!"
Bash variable assignment. Note the lack of whitespace around the equals sign—this is a strict rule in Bash. PowerShell, Python, and Ruby allow whitespace.
Error handling: Bash, PowerShell, Python, Ruby
- Bash: doesn't have try and catch, but uses if statements together with || and &&
- PowerShell: try and catch
- Python: try and except
- Ruby: begin and rescue
nmap -O 192.168.1.50
Enable OS detection. Nmap will guess at the OS, but is not always accurate.
CVE vs CWE
CWE stands for Common Weakness Enumeration, and refers to common software weaknesses regardless of vendor or implementation. CVE stands for Common Vulnerabilities and Exposures, and refers to specific vulnerabilities of specific products.
Encoding and Decoding
Character encoding is the process of converting text into bytes, and decoding is the process of converting bytes into text. In many languages and systems, the default encoding is UTF-8 using the Unicode character set. For example, the capital letter C is associated with the code point U+0043 in Unicode. UTF-8 encodes this number (hexadecimal 43) in binary as 01000011.
nmap -sT 192.168.1.50
Complete the TCP 3-way handshake. Nmap asks the underlying operating system to establish a connection with the target on the specified port. The default for regular (non-root) users.
bash array
Compound assignment:
my_arr=(1 "Hello" 3.1)
Individual assignment:
my_arr[0]=1
my_arr[1]="Hello"
my_arr[2]=3.1
Referencing an array requires you to wrap it in curly braces. You can reference a specific index of the array:
echo ${my_arr[0]}
This will print "1". Syntax for the other languages is on 4D pg. 9.
nmap -sU 192.168.1.50
Conduct a UDP scan. Because UDP does not use a handshake, a service listening on a UDP port might not send any response. Ports that send a response display as open. Ports that send no response are displayed as open|filtered (unknown). Ports that send an ICMP unreachable error (type 3 code 3) display as closed. Can be used with -sV to help reveal additional open ports, and to differentiate whether a port is truly open or filtered.
-sI <zombie> <target> nmap -sI -Pn -p- zombie.middle.tld www.company.tld
Conduct a blind TCP port scan (idle scan). No packets are sent directly from your attacker machine to the target. Uses a "zombie" (middle man) host to obtain information about open ports on the target. You have to spend some time identifying a machine that can act as a zombie. Once you locate a good zombie, you can reuse it for more scans.
Dirbuster
Dirbuster is a GUI tool that ships with Kali Linux. Created by the OWASP group, it uses word lists to search for possible directory names on websites.
-PS <portlist>
Discover hosts by sending a TCP SYN to specified port(s). Default is 80. Any response (SYN ACK or RST) indicates the target is up. There can be no space between -PS and the port list. Will be followed by a port scan unless -sn is also used.
nmap -n 192.168.1.0/24
Do not resolve names (saves time).
nmap -sA www.company.tld
Find out if a host/network is protected by a firewall. "Filtered" results indicate firewall is on. "Unfiltered" results indicate port is accessible, but might be open or closed. (See -p option for more information about port states). Run with -A option to determine if accessible ports are actually open or closed (nmap -sA -A www.comptia.org).
Firewall tips and tricks
If a firewall does not inspect the payload, only the packet type, then malicious traffic could be sent over a permitted port. Say tcp/80 is open; the destination port would then be set to 80. A firewall might also have a misconfiguration or design flaw that allows a specially crafted packet through, thus eliciting a response from the host.
nmap -A -v 192.168.1.50
Increase verbosity of output.
nmap -sL 192.168.1.50
List the targets that will be scanned.
my_str = "Hello, World!"
No dollar sign is necessary when assigning variables in Python or Ruby
nmap -sn 192.168.1.0/24
No port scan. Discover only, using a combination of ICMP ECHO REQUEST, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request. Shows whether hosts are up or down.
nmap -sV 192.168.1.50
Probe open ports to determine service version.
Typical packet crafting techniques
Raising TCP flags in an unusual or illogical manner. Changing source or destination ports. Spoofing IP or MAC addresses. Changing TCP sequence or acknowledgment numbers. Changing IP fragment offsets. Changing the Time-to-Live (TTL) value. Changing Quality of Service (DSCP) values.
rpcclient
Rpcclient has over 200 commands for enumeration and configuration. It runs on Linux and works against both Windows and Linux Samba computers. If you are not already logged onto the target, you must first make a connection, providing a password when prompted. Administrative or SYSTEM level privileges (from a compromised host) will give you the best results.
-oN/-oX/-oS/-oG/-oA nmap 192.168.1.50 -oA results.txt
Save output in normal, XML, script kiddie, Grepable, or all (except script kiddie) formats to the given file name. Default save location is the user's profile (i.e., /root/).
nmap -F 192.168.1.50
Scan fewer ports than default.
nmap -sS 192.168.1.50
Send a TCP SYN to see if the target port responds with a SYN ACK (port is open) or a RST (reset - the port is closed). Also known as a half-open scan as it does not complete the TCP 3-way handshake. This is the default for root users.
nmap -PR 192.168.1.50
Send an ARP request to target to see if there is a response. ARPs are generally not blocked by firewalls. This is the default discovery method for any Nmap scan on an Ethernet LAN.
Sysinternals ShareEnum
ShareEnum is a GUI tool that can scan a domain, workgroup, or IP address range for shares. If you are not in a domain, you may have to supply credentials to view the shares of each discovered device. Hidden shares have names that end in $.
nmap -f 192.168.1.50
Split packets (including pings) into 8-byte fragments to make it harder for packet filtering firewalls and intrusion detection to detect the purpose of packets. MTU is the maximum fragment size.
-S <spoofed source address> nmap -e eth0 -S www.google.com 192.168.1.50
Spoofs the source address. Might not return results since the target will try to respond to the fake address. Can be used to confuse IDS or target administrator. Often used with -e or -Pn. May throw binding errors. Spoofed attack should be validated by Wireshark capture on the target. This example makes it appear to target 192.168.1.50 that www.google.com is trying to scan it.
tcp 135 tcp 111
TCP 135 is only seen on Microsoft computers, whereas TCP 111 is usually only seen on Linux/Unix (*nix) computers. (A notable exception is when a Windows server is running Services for Unix.) This is because they are used by their respective operating systems to map incoming client requests to the desired remote-procedure-call-based service. If you see either of these running on the other operating system, you are likely looking at a decoy.
substitution
The act of referencing or retrieving the value of a variable is called substitution. After you assign a value to a variable, you reference that variable later in the code so that you don't need to hard-code values into the script's logic.
net use \\<server-name-or-IP>\ipc$ /u:"" ""
The syntax for connecting via a null session.
avoiding IDS and packet inspection by firewalls
A firewall will inspect packets to see if they should be permitted or denied. An intrusion detection system will inspect packets for unusual behavior or malicious payloads, and then log what it observes. Evasion can be done by:
- encrypting the packet or payload
- using unknown signatures
- scanning slowly enough to hide a pattern of malicious traffic
- spoofing by using trusted source ports or addresses
PORT STATE SERVICE
8000/tcp open http-alt?
There is an unspecified service on port 8000.
To see if it's HTTP, open a browser to http://192.168.1.50:8000. Alternatively, you could use telnet or Netcat to banner grab:
telnet 192.168.10.100 8000
(After making the connection, press Ctrl+] to break, then enter quit.)
echo -en "GET / HTTP/1.0\n\n\n" | nc www.comptia.org 80 | grep Server
nmap --script=banner.nse 192.168.1.50
Use an NSE (Nmap Scripting Engine) script, where banner is the name of the script.
nmap -sV --version-intensity 9 192.168.1.50
Use with -sV. Specifies level of interrogation from 0 (light) to 9 (try all probes).
nmap -vv 192.168.1.50
Very verbose output.
echo $my_str
When referencing variables in Bash, you need to add a dollar sign ($) at the beginning of the variable name: echo $my_str This will print "Hello, World!" to the console.
Write-Host $my_str
When referencing variables in PowerShell, you need to maintain the dollar sign at the beginning of the variable name:
Python:
print(my_str)
And Ruby:
puts my_str
You don't need to make any changes to a variable's name when referencing it in Python or Ruby.
$my_str = "Hello, World!"
You must use a dollar sign for variable assignment in PowerShell
Bash
A scripting language and command shell for Unix-like systems. It is the default shell for Linux and older versions of macOS, and has its own command syntax. It can be used for:
- manipulating the output of existing security tools like Nmap, tcpdump, Metasploit, etc.
- automating the creation of files and directory structures.
my_var = 1
if my_var == 1:
    print("Correct.")
else:
    print("Incorrect.")
An if statement in Python. The Ruby equivalent would use "puts" instead of "print".
PowerShell
An improved Windows command prompt that uses cmdlets in the form of verb-noun syntax, such as Set-Date. These commands are not case sensitive. PowerShell has alias commands that match their Linux counterparts; for example, Get-Content and cat do the same thing in PowerShell. If PowerShell does not have the command you need, you can create custom commands through scripts, which can be downloaded from GitHub and WordPress. To run custom scripts you must run as admin and set PowerShell's execution policy to allow scripts that are not digitally signed.
python
An object-oriented scripting programming language with a robust set of libraries that can perform exploitation, fuzzing, network scanning, etc. Designed with a lot of whitespace so that it is easy to read.
Error handling (exception handling)
Done through a try and catch statement, where try wraps the code you think will cause an error and catch is the block that runs if the error occurs.
Full scan
Gathers as much information as possible about the target, but is the noisiest and may be detected. Detection might be avoided by slowing down the scan and randomizing ports.
nmap -h / nmap -V / nmap -d 192.168.1.50
- -h: help
- -V: shows the Nmap version
- -d: enable debugging output. Lists every step Nmap is taking, along with the output.
How might you try to be more stealthy when using nmap?
If you scan slower you are less likely to be detected; use the -T<0-5> timing option, where 0 is the slowest.
variable
in object-oriented programming (OOP), any value that is stored in memory and given a name or an identifier. The purpose of variables is to store values for later use, and to enable you to reference these values without explicitly writing them out in the code.
container
Like a lightweight VM; a container package may only be 3 MB in size. The container and its application are called a container image, which is a standalone executable that contains everything it needs to run.
how to find whether web sites are using non-standard ports
nmap -sV can detect this. If there appears to be an HTTPS server on port 443, you would need to confirm this by opening a browser to https://192.168.1.50.
port numbers (TCP unless specified)
- tcp/88: Kerberos
- 111 (tcp or udp): *nix portmapper (RPC)
- tcp/135: Microsoft RPC (remote procedure call)
- tcp/139: SMB (legacy)
- tcp/445: Microsoft-DS, authentication used by SMB
compliance scan
scans that verify that your network adheres to certain policy requirements. These policies can be mandated by law, industry, or individual company.
web applications
Scripts and executables that are included in the website's HTML. They provide dynamic content to the user and (usually) run on the website's standard TCP 80 and 443 ports. These are often custom made, which means each one will behave differently.
Ruby
Similar to Python. The Metasploit Framework is written in Ruby, so Ruby could be used to extend Metasploit's features. Python is usually faster than Ruby and has a bigger library. Ruby has a .rb file extension.
puts "Detecting OS..."
if RUBY_PLATFORM == "x86_64-linux-gnu"
  puts "Linux system detected!"
end
>= -ge
Some languages do not use the traditional symbols for comparison operators. Instead, they use a letter-based syntax. For example, consider that the >= operator evaluates whether the left operand is greater than or equal to the right operand. In letter-based syntax, the operator is -ge. So, 1 -ge 2 evaluates to false. Python and Ruby use symbols such as >=, while PowerShell and Bash use letters such as -ge.
array
Stores multiple values in a single variable. Arrays start with an index of 0. Note that the strictest definition of the term "array" does not allow for different data types. However, arrays in all four of the languages discussed in this course can contain different data types. Python specifically calls these objects "lists" to distinguish them from traditional one-type-only arrays. A compound assignment assigns all values at once.
flow control
the order in which code instructions are executed. One major example of flow control is the if statement. a while loop, executes code while some condition is true, and stops executing the code when the condition becomes false. Another type of loop is a for loop, which iterates through code a specific number of times, depending on what you specify. These types of loops are commonly used to process arrays and similar objects.
Enumeration
the process of using various techniques that query a device or service for information about its configuration and resources. If you are already logged in to the target, you can run local commands to query the operating system directly. If not, some tools allow you to make a remote connection. In some cases, you do not need to use a privileged account to obtain good information.
Considerations for Scanning for Vulnerabilities
The scanner may not identify all vulnerabilities and may report false positives. Positives should be tested using Metasploit. Do not rely on a single tool. Vulnerability scans can take a long time; you might want to stop the scan after a certain time or make the scan less intense. Web app scans can take days. Concurrent scans on the same host can be disruptive to the scans, so scans may need to be throttled.
discovery scan
used to find live IP addresses on a network for the purpose of revealing potential targets. Traditionally, a discovery scan was a ping sweep, sending an ICMP ECHO REQUEST to every address in the specified range. Hosts that responded were then displayed. Because most modern hosts have software firewalls that disallow ICMP, Nmap discovery scans use other methods besides just ICMP to detect live hosts.
Network scanning
Usually the first step in active reconnaissance, where the attacker seeks to discover potentially vulnerable targets. It includes:
- Host discovery
- Port scanning
- Packet crafting
- Device enumeration
- Vulnerability scanning
web server and database relationship
Web servers are often public facing and will have a backend connection to the database server. The DB will be on a private network and will use SQL. Databases listen on port 1433 and can be TCP or UDP. If you have access to the web server, you can try to insert SQL commands into the database to see if it allows SQL injection.